Abstract 

We improve the "sieve" part of the number field sieve used in factoring integers 
and computing discrete logarithms. The running time of our method is shorter than that 
of existing methods. Under some reasonable assumptions, we prove that it is asymptotically 
less than two-thirds of the running time of the algorithm used before, with 
probability greater than 0.6. 



1 Introduction 

The general number field sieve is used in factoring integers or computing discrete logarithms; 
see, for example, [1] [2] [3]. There are mainly two time-consuming parts in the number field 
sieve, namely the "sieving" part and the "solving the linear equations" part. The two parts 
are relatively independent and have computational complexity of the same order. In [4], the 
authors improved the step "solving the linear equations" for the discrete logarithm problem. In 
this paper, we improve the step "sieve". Our improvement works for both factoring integers 
and computing discrete logarithms. The running time of our algorithm is asymptotically less than the 
one in [5] [6]. Under some reasonable assumptions, it is asymptotically less than $\tfrac{2}{3}$ of the 
running time of the algorithm used in [5] [6], with probability greater than 
0.6. 

In section 2, we give the formulation of the problem which we want to solve, and describe 
the algorithm used before. In section 3, we describe our algorithm. In section 4, we prove 
that our algorithm is better than the algorithm used before. 



2 The problem and conventional algorithm 

Let us consider the following problem: 

Problem 2.1. Let $f(x)$ be a monic polynomial of degree $d$ with integer coefficients 
bounded by an integer $m$, and let $K$ be an algebraic number field isomorphic to $\mathbb{Q}[x]/(f(x))$. Let 
$\theta$ be the image of $x$ in $K$ and $\mathrm{Nm} : K^\times \to \mathbb{Q}^\times$ be the norm map. Let $u$ be a positive 
integer. We construct a table $T = \{T(b,a)\}_{0 < b \le u,\ |a| \le u}$ of $u$ lines and $2u + 1$ columns with 

$$T(b,a) = \begin{cases} 0 & \text{if } (a,b) \ne 1; \\ (a - bm)\,\mathrm{Nm}(a - b\theta) & \text{if } (a,b) = 1. \end{cases}$$
Let $y$ be a positive real number called "the smooth bound". For every element in the table, 
we wish to divide out all of its divisors of the form $l^e$ for all primes $l$ bounded by $y$. 

The most trivial algorithm is the following: 

Algorithm 1 Sieve 
1: for prime $0 < l \le y$, integer $|a| \le u$, $0 < b \le u$, such that $T(b,a) \ne 0$ do 
2:   while $l \mid T(b,a)$ do 
3:     $T(b,a) \leftarrow T(b,a)/l$ 
4:   end while 
5: end for 



The following improved algorithm is widely used in integer factoring algorithms (see [1], 
[6]) or algorithms for solving the discrete logarithm problem (see [2] [3] [5]). 

Algorithm 2 Sieve 

1: for prime $l \in (0, y]$ do 
2:   $e_l \leftarrow m \bmod l \in \{0, 1, \ldots, l - 1\}$ 
3:   $E_l \leftarrow \{x \in \{0, 1, \ldots, l - 1\} : f(x) \equiv 0 \bmod l\}$ 
4: end for 
5: for integer $b \in (0, u]$ do 
6:   for prime $l \in (0, y]$, $l \nmid b$ do 
7:     for $a \in [-u, u] \cap (b e_l + l\mathbb{Z})$ do 
8:       while $l \mid T(b,a)$ do 
9:         $T(b,a) \leftarrow T(b,a)/l$ 
10:      end while 
11:    end for 
12:    for $a \in [-u, u] \cap (b E_l + l\mathbb{Z})$ do 
13:      while $l \mid T(b,a)$ do 
14:        $T(b,a) \leftarrow T(b,a)/l$ 
15:      end while 
16:    end for 
17:  end for 
18: end for 



In Algorithm 2, we no longer try to divide all the elements in the table by $l$, but only 
those we know to be divisible by $l$. Then we divide the quotient by $l$ repeatedly as long as 
it is divisible by $l$. Roughly speaking, for every $b, l$, we solve the equations 

$$a - bm \equiv 0 \bmod l \quad \text{or} \quad \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l$$ 

in the variable $a$, and then sieve. 

3 Our algorithm 

There is still unnecessary computation in Algorithm 2. In fact, we can almost always know which 
$T(b,a)$ can be divided by $l$ again after it has been divided by $l$ the first time. Roughly speaking, for every $b, l$, 
we can almost solve the equations 

$$a - bm \equiv 0 \bmod l^k \quad \text{or} \quad \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l^k$$ 

in the variable $a$, for any $k$, and then sieve. Our new algorithm consists of 3 parts. 

First, we divide out all $l$-power divisors caused by the term $(a - bm)$: Let $e_l^{(1)}$ be the 
residue of $m$ modulo $l$. We divide $T(b,a)$ by $l$ and write the quotient in $T(b,a)$ for all 
$a \in [-u, u] \cap (b e_l^{(1)} + l\mathbb{Z})$. Let $e_l^{(2)}$ be the residue of $m$ modulo $l^2$. We divide $T(b,a)$ by $l$ 
and write the quotient in $T(b,a)$ for all $a \in [-u, u] \cap (b e_l^{(2)} + l^2\mathbb{Z})$. And so on. 

Second, we divide out all the $l$-power divisors caused by the term $\mathrm{Nm}(a - b\theta)$, for 
all $a, b$ such that $b \in (0, u]$ is coprime to $l$, and $a \bmod l$ is a single root of the equation 
$\mathrm{Nm}(a - b\theta) \equiv 0 \bmod l$. By lemma 3.1 below we can do this as follows: Let $E_l^{(1)} \subset 
\{0, 1, \ldots, l - 1\}$ be the set of single roots of the equation $f(x) \equiv 0$ modulo $l$. We can directly 
compute $E_l^{(1)}$ by solving the equation. We divide $T(b,a)$ by $l$ and write the quotient in $T(b,a)$ for 
all $a \in [-u, u] \cap (b E_l^{(1)} + l\mathbb{Z})$. Let $E_l^{(2)} \subset \{0, 1, \ldots, l^2 - 1\}$ be the set of single roots of the 
equation $f(x) \equiv 0$ modulo $l^2$. We can directly compute $E_l^{(2)}$ from $E_l^{(1)}$ by Newton's method. 
We divide $T(b,a)$ by $l$ and write the quotient in $T(b,a)$ for all $a \in [-u, u] \cap (b E_l^{(2)} + l^2\mathbb{Z})$. 

Finally, we divide out all the $l$-power divisors caused by the term $\mathrm{Nm}(a - b\theta)$, for all 
$a, b$ such that $b \in (0, u]$ is coprime to $l$, and $a \bmod l$ is a multiple root of the equation 
$\mathrm{Nm}(a - b\theta) \equiv 0 \bmod l$. By lemma 3.1 and lemma 3.2 below we can do this as follows: Let 
$\tilde{E}_l^{(1)} \subset \{0, 1, \ldots, l - 1\}$ be the set of multiple roots of the equation $f(x) \equiv 0$ modulo $l$; we can 
directly compute $\tilde{E}_l^{(1)}$ by solving the equation. We divide $T(b,a)$ by $l$ and write the quotient 
in $T(b,a)$ for all $a \in [-u, u] \cap (b \tilde{E}_l^{(1)} + l\mathbb{Z})$. Lemma 3.2 below tells us that whether a root of 
$f(x) \equiv 0 \bmod l$ can be lifted to a root of $f(x) \equiv 0 \bmod l^2$ depends only on its residue 
class modulo $l$. Let $\tilde{E}_l^{(2)}$ be the subset of $\tilde{E}_l^{(1)}$ whose elements can be lifted to solutions 
of $f(x) \equiv 0 \bmod l^2$. We can compute $\tilde{E}_l^{(2)}$ by $\#\tilde{E}_l^{(1)}$ tests. Then we divide $T(b,a)$ by $l$ 
and write the quotient in $T(b,a)$ for all $a \in [-u, u] \cap (b \tilde{E}_l^{(2)} + l\mathbb{Z})$ one after another until 
$l \nmid T(b,a)$. 

Now we give the statements and proofs of lemma 3.1 and lemma 3.2 mentioned above. 

Lemma 3.1. If $l \nmid b$, there is a bijection 

$$\{x \in \mathbb{Z}/l^e\mathbb{Z};\ f(x) \equiv 0 \bmod l^e\} \to \{a \in \mathbb{Z}/l^e\mathbb{Z};\ \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l^e\}, \qquad x \mapsto bx$$ 

for all $e > 0$. Moreover, in the situation $e = 1$, the images of simple roots are simple, and 
the images of multiple roots are multiple. 

Proof. It is because 

$$\mathrm{Nm}(a - b\theta) = (-b)^d\, \mathrm{Nm}\!\left(\tfrac{a}{b} - \theta\right) = (-b)^d f\!\left(\tfrac{a}{b}\right). \qquad \blacksquare$$ 

Lemma 3.2. Let $x, y$ be two integers and $f$ be a polynomial over $\mathbb{Z}$. Assume $x \equiv y \bmod l$ 
is a multiple root of $f(x) \equiv 0 \bmod l$. Then $x \bmod l^2$ is a root of $f(x) \equiv 0 \bmod l^2$ if and 
only if $y \bmod l^2$ is a root of $f(x) \equiv 0 \bmod l^2$. 

Proof. Let $y = x + kl$ where $k \in \mathbb{Z}$. If $x \bmod l^2$ is a root of $f(x) \equiv 0 \bmod l^2$, we have 

$$f(y) \in f(x) + f'(x)kl + l^2\mathbb{Z}$$ 

by Taylor expansion. On the other hand, we know $f'(x) \equiv 0 \bmod l$. Therefore 

$$f(y) \in f(x) + l^2\mathbb{Z}. \qquad \blacksquare$$ 
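As an added example (not code from the paper), the following Python implementation runs Algorithm 2 and the three parts of Algorithm 3 on one line $b$ of the table for constructed parameters $f(x) = x^2 - 2x + 10$, $m = 23$, $u = 20$, $y = 13$: the single roots modulo $l^e$ are obtained by Newton (Hensel) lifting as in the "Second" part, the multiple roots are handled with the one test per residue class that lemma 3.2 justifies, and both sieves count the divisions and trial divisions that section 4 compares. It assumes Python 3.8 or later for the modular inverse `pow(x, -1, l)`.

```python
from math import gcd
# Constructed parameters, not from the paper: f(x) = x^2 - 2x + 10 is monic and irreducible;
# x = 1 is a multiple root of f mod 3 that lifts to mod 9 (f(1) = 9), so the "Finally" part
# of Algorithm 3 is exercised. m > u keeps every a - b*m, hence every table entry, nonzero.
F, M, U, PRIMES = [10, -2, 1], 23, 20, [2, 3, 5, 7, 11, 13]      # smooth bound y = 13

def f_eval(x, mod): return sum(c * pow(x, i, mod) for i, c in enumerate(F)) % mod
def df_eval(x, mod): return sum(i * c * pow(x, i - 1, mod) for i, c in enumerate(F) if i) % mod
def norm(a, b):  # Nm(a - b*theta) = sum_i c_i a^i b^(d-i) for monic f of degree d
    return sum(c * a**i * b**(len(F) - 1 - i) for i, c in enumerate(F))
def row(b):      # the b-th line of the table, keyed by a; the entry is 0 unless gcd(a, b) = 1
    return {a: (a - b*M) * norm(a, b) if gcd(a, b) == 1 else 0 for a in range(-U, U + 1)}
def targets(T, b, residues, mod):  # nonzero entries with a ≡ b*r (mod mod) for some r
    return [a for r in residues for a in T if T[a] and (a - b*r) % mod == 0]

def sieve_alg2(b):  # Algorithm 2: trial-divide every known hit by l until it fails
    T, tests = row(b), 0
    for l in (l for l in PRIMES if b % l):
        roots = [x for x in range(l) if f_eval(x, l) == 0]
        for a in targets(T, b, [M % l], l) + targets(T, b, roots, l):
            tests += 1                                    # the trial division that fails
            while T[a] % l == 0: T[a] //= l; tests += 1
    return T, tests

def sieve_alg3(b):  # Algorithm 3: solve a ≡ b*m and f(a/b) ≡ 0 modulo l^e instead of retrying
    T, ops = row(b), 0
    for l in (l for l in PRIMES if b % l):
        simple = [x for x in range(l) if f_eval(x, l) == 0 and df_eval(x, l)]
        multi = [x for x in range(l) if f_eval(x, l) == 0 and not df_eval(x, l)]
        mod = l
        while mod <= U * (M + 1):           # (First): l^e | a - b*m  <=>  a ≡ b*m (mod l^e)
            for a in targets(T, b, [M % mod], mod): T[a] //= l; ops += 1
            mod *= l
        mod, roots = l, simple
        while mod <= M * len(F) * U**(len(F) - 1):   # (Second): Hensel-lift the simple roots
            for a in targets(T, b, roots, mod): T[a] //= l; ops += 1
            mod *= l                        # Newton step x <- x - f(x)/f'(x) mod l^(e+1)
            roots = [(x - f_eval(x, mod) * pow(df_eval(x, l), -1, l)) % mod for x in roots]
        for a in targets(T, b, multi, l): T[a] //= l; ops += 1   # (Finally): one factor l is certain
        liftable = [x for x in multi if f_eval(x, l * l) == 0]      # Lemma 3.2: one test per class
        for a in targets(T, b, liftable, l):
            while T[a] % l == 0: T[a] //= l; ops += 1
            ops += 1                                              # the trial division that fails
    return T, ops

def compare(b):  # -> (tables agree and no prime <= y remains, Algorithm 2 tests, Algorithm 3 ops)
    T2, n2 = sieve_alg2(b)
    T3, n3 = sieve_alg3(b)
    clean = all(v == 0 or all(v % l for l in PRIMES) for v in T3.values())
    return T2 == T3 and clean, n2, n3
```

For every line $b$ both sieves leave the same table, and Algorithm 3 performs strictly fewer operations because it never re-tests an entry whose remaining $l$-adic valuation is already known.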



4 Complexity analysis 

We will compare the computational complexity of Algorithm 2 and Algorithm 3. Considering 
the practical situation, we make the assumption that $y < Ku$ for some constant 
$K$. 

For $(l,b) = 1$ and $e > 0$, let 

$$\begin{aligned}
A_l^{b,s} &:= \{|a| \le u;\ (a,b) = 1,\ a \text{ is a single root of } \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l\} \\
A_l^{b,m} &:= \{|a| \le u;\ (a,b) = 1,\ a \text{ is a multiple root of } \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l\} \\
A_{l^e}^{b,s} &:= \{a \in A_l^{b,s};\ \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l^e\} \\
A_{l^e}^{b,m} &:= \{a \in A_l^{b,m};\ \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l^e\} \\
A_{l^e}^{b} &:= \{|a| \le u;\ (a,b) = 1,\ \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l^e\} \\
B_{l^e}^{b} &:= \{|a| \le u;\ (a,b) = 1,\ a - bm \equiv 0 \bmod l^e\}
\end{aligned}$$ 

In Algorithm 2, the complexity of lines 1-4 is an infinitesimal of the complexity of 
lines 5-18 as $u \to \infty$. From line 5, the complexity of sieving the elements in the $b$-th line 
of the table by the prime $l$ is 

$$\begin{aligned}
C_l^b &= \#B_l^b \ (T(b,a) \leftarrow T(b,a)/l \text{ for } a \in B_l^b) \\
&+ \#B_l^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in B_l^b \text{ again}) \\
&+ \#B_{l^2}^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in B_{l^2}^b) \\
&+ \#B_{l^3}^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in B_{l^3}^b) \\
&+ \cdots \\
&+ \#A_l^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in A_l^b) \\
&+ \#A_l^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in A_l^b \text{ again}) \\
&+ \#A_{l^2}^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in A_{l^2}^b) \\
&+ \#A_{l^3}^b \ (\text{try to divide } T(b,a) \text{ by } l \text{ for } a \in A_{l^3}^b) \\
&+ \cdots \\
&= \#B_l^b + \#B_l^b + \#B_{l^2}^b + \#B_{l^3}^b + \cdots \\
&\quad + \#A_l^{b,s} + \#A_l^{b,s} + \#A_{l^2}^{b,s} + \#A_{l^3}^{b,s} + \cdots \\
&\quad + \#A_l^{b,m} + \#A_l^{b,m} + \#A_{l^2}^{b,m} + \#A_{l^3}^{b,m} + \cdots \\
&= \#B_l^b\left(1 + 1 + \tfrac{1}{l} + \tfrac{1}{l^2} + \cdots\right) \\
&\quad + \#A_l^{b,s}\left(1 + 1 + \tfrac{1}{l} + \tfrac{1}{l^2} + \cdots\right) \\
&\quad + \#A_l^{b,m} + \#A_l^{b,m} + \#A_{l^2}^{b,m} + \#A_{l^3}^{b,m} + \cdots \\
&= \tfrac{2l-1}{l-1}\#B_l^b + \tfrac{2l-1}{l-1}\#A_l^{b,s} + 2\#A_l^{b,m} + \#A_{l^2}^{b,m} + \#A_{l^3}^{b,m} + \cdots
\end{aligned}$$ 

Therefore the total complexity of Algorithm 2 is 

$$(1 + o(1)) \sum_{\text{integer } b \in [1,u]} \ \sum_{\text{prime } l \in [2,y],\ l \nmid b} C_l^b \quad \text{as } u \to \infty.$$ 
Algorithm 3 Sieve 

1: (First) 
2: for prime $l \in (0, y]$ do 
3:   for $e = 1, 2, \ldots, \log_l[u(m+1)]$ do 
4:     $e_l^{(e)} \leftarrow m \bmod l^e \in \{0, 1, \ldots, l^e - 1\}$ 
5:   end for 
6: end for 
7: for integer $b \in (0, u]$ do 
8:   for prime $l \in (0, y]$, $l \nmid b$ do 
9:     for $e = 1, 2, \ldots, \log_l[u(m+1)]$ do 
10:      for $a \in [-u, u] \cap (b e_l^{(e)} + l^e\mathbb{Z})$ do 
11:        $T(b,a) \leftarrow T(b,a)/l$ 
12:      end for 
13:    end for 
14:  end for 
15: end for 
16: (Second) 
17: for prime $l \in (0, y]$ do 
18:   for $e = 1, 2, \ldots, \log_l[m(d+1)u^d]$ do 
19:     $E_l^{(e)} \leftarrow \{x = 0, 1, \ldots, l^e - 1 : x \text{ is a single root of } f(x) \equiv 0 \bmod l^e\}$ 
20:   end for 
21: end for 
22: for integer $b \in (0, u]$ do 
23:   for prime $l \in (0, y]$, $l \nmid b$ do 
24:     for $e = 1, 2, \ldots, \log_l[m(d+1)u^d]$ do 
25:       for $a \in [-u, u] \cap (b E_l^{(e)} + l^e\mathbb{Z})$ do 
26:         $T(b,a) \leftarrow T(b,a)/l$ 
27:       end for 
28:     end for 
29:   end for 
30: end for 
31: (Finally) 
32: for prime $l \in (0, y]$ do 
33:   $\tilde{E}_l^{(1)} \leftarrow \{x = 0, 1, \ldots, l - 1 : x \text{ is a multiple root of } f(x) \equiv 0 \bmod l\}$ 
34:   $\tilde{E}_l^{(2)} \leftarrow \{x \in \tilde{E}_l^{(1)} : f(x) \equiv 0 \bmod l^2\}$ 
35: end for 
36: for integer $b \in (0, u]$ do 
37:   for prime $l \in (0, y]$, $l \nmid b$ do 
38:     for $a \in [-u, u] \cap (b \tilde{E}_l^{(1)} + l\mathbb{Z})$ do 
39:       $T(b,a) \leftarrow T(b,a)/l$ 
40:     end for 
41:     for $a \in [-u, u] \cap (b \tilde{E}_l^{(2)} + l\mathbb{Z})$ do 
42:       while $l \mid T(b,a)$ do 
43:         $T(b,a) \leftarrow T(b,a)/l$ 
44:       end while 
45:     end for 
46:   end for 
47: end for 

In the first part of Algorithm 3, the complexity of lines 2-6 is an infinitesimal of the 
complexity of lines 7-15 as $u \to \infty$. The latter is 

$$\#B_l^b + \#B_{l^2}^b + \#B_{l^3}^b + \cdots$$ 

The complexity of lines 17-21 is an infinitesimal of the complexity of lines 22-30 as 
$u \to \infty$. The latter is 

$$\#A_l^{b,s} + \#A_{l^2}^{b,s} + \#A_{l^3}^{b,s} + \cdots = \#A_l^{b,s}\left(1 + \tfrac{1}{l} + \tfrac{1}{l^2} + \cdots\right) = \tfrac{l}{l-1}\#A_l^{b,s}$$ 

The complexity of lines 32-35 is an infinitesimal of the complexity of lines 36-47 as 
$u \to \infty$. The latter is 

$$\#A_l^{b,m} + \#A_{l^2}^{b,m} + \#A_{l^2}^{b,m} + \#A_{l^3}^{b,m} + \cdots$$ 

Therefore the total complexity of Algorithm 3 is 

$$(1 + o(1)) \sum_{\text{integer } b \in [1,u]} \ \sum_{\text{prime } l \in [2,y],\ l \nmid b} D_l^b$$ 

where 



as $u \to \infty$, 



It is easy to see that the complexity of Algorithm 3 is less than the complexity of 
Algorithm 2 asymptotically. Moreover, if for any $(l,b) = 1$ we have $\#A_{l^2}^{b,m} = 0$, then we have 
$D_l^b < \tfrac{2}{3} C_l^b$, because 

$$\begin{aligned}
\tfrac{l}{l-1}\#B_l^b &< \tfrac{2}{3} \times \tfrac{2l-1}{l-1}\#B_l^b \quad \text{for any } (l,b) = 1 \\
\tfrac{l}{l-1}\#A_l^{b,s} &< \tfrac{2}{3} \times \tfrac{2l-1}{l-1}\#A_l^{b,s} \quad \text{for any } (l,b) = 1 \\
\#A_l^{b,m} &< \tfrac{2}{3} \times 2\#A_l^{b,m} \quad \text{for any } (l,b) = 1 \\
\#A_{l^e}^{b,m} &= 0 \quad \text{for any } (l,b) = 1 \text{ and all } e > 1
\end{aligned}$$ 



Therefore we get 

Proposition 4.1. Let $K > 0$ be a constant. Let $u \to \infty$ and $y < Ku$. Then the complexity 
of Algorithm 3 is less than the complexity of Algorithm 2 asymptotically. Moreover, if for 
any $(l,b) = 1$ we have $\#A_{l^2}^{b,m} = 0$, then the complexity of Algorithm 3 is less than $\tfrac{2}{3}$ of the 
complexity of Algorithm 2 asymptotically. $\blacksquare$ 

The following proposition tells us that the condition "for any $(b,l) = 1$, $\#A_{l^2}^{b,m} = 0$" has 
a good chance of being realized. 

Proposition 4.2. Suppose $f(x)$ is a random polynomial of degree $d$ over $\mathbb{Z}$ such that $f(x) 
\bmod l^2$ is uniformly distributed on $\{h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x];\ \deg h \le d\}$ for all primes $l \le y$, and 
$\{R_l = \emptyset\}_{\text{prime } l \le y}$ are independent random events, where $R_l := \{x \in \mathbb{Z}/l^2\mathbb{Z};\ f(x) \equiv 0 
\bmod l^2,\ x \text{ is a multiple root of } f(x) \equiv 0 \bmod l\}$ for any prime $l \le y$. Then the probability 
of the event ($\#A_{l^2}^{b,m} = 0$ for any $b \in (0, u]$, prime $l \le y$, s.t. $(l,b) = 1$) is greater than 0.6. 

Proof. For any prime $l$, we have 

$$P(\#R_l \ne 0) = P(\exists\, i = 0, 1, \ldots, l - 1 \text{ s.t. } i \in R_l) \quad (\text{lemma 3.2})$$ 

For any $i = 0, 1, \ldots, l - 1$, the assumption that $f(x) \bmod l^2$ is uniformly distributed on 
$\{h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x];\ \deg h \le d\}$ and lemma 4.3 below show 

$$P(f(i) \equiv 0 \bmod l^2,\ f'(i) \equiv 0 \bmod l) = \tfrac{1}{l^3},$$ 

i.e. $P(i \in R_l) = \tfrac{1}{l^3}$. Hence $P(\#R_l \ne 0) \le \tfrac{1}{l^2}$. The assumption that $\{R_l = \emptyset\}_{\text{prime } l \le y}$ are 
independent random events implies 

$$\begin{aligned}
P(R_l = \emptyset \text{ for all prime } l \le y) &= \prod_{\text{prime } l \le y} P(R_l = \emptyset) \\
&\ge \prod_{\text{prime } l \le y} \left(1 - \tfrac{1}{l^2}\right) \\
&> \prod_{l \text{ prime}} \left(1 - \tfrac{1}{l^2}\right) = 1/\zeta(2) > 0.6,
\end{aligned}$$ 

where $\zeta(s)$ is Riemann's zeta function. 

Let $R_l^b := \{a \in \mathbb{Z}/l^2\mathbb{Z};\ \mathrm{Nm}(a - b\theta) \equiv 0 \bmod l^2,\ a \text{ is a multiple root of } \mathrm{Nm}(a - b\theta) \equiv 0 
\bmod l\}$. From lemma 3.1, we know 

$$\#R_l^b = \#R_l \quad \text{for all } (b,l) = 1.$$ 

Therefore 

$$\begin{aligned}
&P(\#A_{l^2}^{b,m} = 0 \text{ for any } b \in (0, u], \text{ prime } l \le y \text{ s.t. } (l,b) = 1) \\
&\ge P(\#R_l^b = 0 \text{ for any } b \in (0, u], \text{ prime } l \le y \text{ s.t. } (l,b) = 1) \\
&= P(\#R_l = 0 \text{ for any prime } l \le y) > 0.6. \qquad \blacksquare
\end{aligned}$$ 

Now we give the statement and proof of lemma 4.3 mentioned above. 

Lemma 4.3. Let $l$ be a prime and $d$ be a positive integer. For any $i \in \mathbb{Z}/l^2\mathbb{Z}$, we have 

$$P(h(i) \equiv 0 \bmod l^2,\ h'(i) \equiv 0 \bmod l \mid h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x],\ \deg h = d,\ \text{monic}) = \tfrac{1}{l^3}.$$ 

Proof. Consider the surjective homomorphism of abelian groups 

$$\{h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x];\ \deg h \le d\} \to \mathbb{Z}/l^2\mathbb{Z} \oplus \mathbb{Z}/l\mathbb{Z}, \qquad h(x) \mapsto (h(i) \bmod l^2,\ h'(i) \bmod l).$$ 

We have 

$$P(h(i) \equiv 0 \bmod l^2,\ h'(i) \equiv 0 \bmod l \mid h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x],\ \deg h \le d) = \tfrac{1}{l^3}.$$ 

Similarly, we have 

$$P(h(i) \equiv 0 \bmod l^2,\ h'(i) \equiv 0 \bmod l \mid h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x],\ \deg h \le d - 1) = \tfrac{1}{l^3}.$$ 

Let 

$$\begin{aligned}
H &:= \{h \in \mathbb{Z}/l^2\mathbb{Z}[x];\ \deg h \le d\} \\
H^0 &:= \{h \in H;\ h(i) \equiv 0 \bmod l^2,\ h'(i) \equiv 0 \bmod l\} \\
H_{l\mathbb{Z}} &:= \{h \in H;\ \text{the leading coefficient of } h \text{ is in } l\mathbb{Z}\} \\
H^0_{l\mathbb{Z}} &:= H^0 \cap H_{l\mathbb{Z}} \\
H_c &:= \{h \in H;\ \text{the leading coefficient of } h \text{ is } c\} \quad \text{for any } c \in \mathbb{Z}/l^2\mathbb{Z} \\
H^0_c &:= H_c \cap H^0 \quad \text{for any } c \in \mathbb{Z}/l^2\mathbb{Z}
\end{aligned}$$ 
It is easy to see that 

$$\begin{aligned}
H_0 &= \{h \in \mathbb{Z}/l^2\mathbb{Z}[x];\ \deg h \le d - 1\} \\
H^0_0 &= \{h \in H_0;\ h(i) \equiv 0 \bmod l^2,\ h'(i) \equiv 0 \bmod l\}
\end{aligned}$$ 

Hence, we have 

$$P(h \in H^0_0 \mid h \in H_0) = P(h \in H^0 \mid h \in H) = \tfrac{1}{l^3}.$$ 

Let us consider the commutative diagram of abelian groups 

$$\begin{array}{ccccc}
H^0 & \longrightarrow & \mathbb{Z}/l^2\mathbb{Z} & \longrightarrow & 0 \\
\downarrow & & \downarrow \mathrm{id} & & \\
H & \longrightarrow & \mathbb{Z}/l^2\mathbb{Z} & \longrightarrow & 0
\end{array}$$ 

where the map from $H$ to $\mathbb{Z}/l^2\mathbb{Z}$ is defined by $h \mapsto$ (the leading coefficient of $h$). The 
vertical map on the right side is the identity, hence we have 

$$P(h \in H^0_{l\mathbb{Z}} \mid h \in H_{l\mathbb{Z}}) = P(h \in H^0 \mid h \in H).$$ 

On the other hand, 

$$\begin{aligned}
P(h \in H^0_{l\mathbb{Z}} \mid h \in H_{l\mathbb{Z}}) &= \sum_{c=0}^{l-1} P(h \in H^0_{cl} \mid h \in H_{l\mathbb{Z}}) \\
&= \sum_{c=0}^{l-1} P(h \in H^0_{cl} \mid h \in H_{cl})\, P(h \in H_{cl} \mid h \in H_{l\mathbb{Z}}) \\
&= \Big[P(h \in H^0_0 \mid h \in H_0) + \sum_{c=1}^{l-1} P(h \in H^0_{cl} \mid h \in H_{cl})\Big] \times \tfrac{1}{l} \\
&= \tfrac{1}{l}\Big[\tfrac{1}{l^3} + \sum_{c=1}^{l-1} P(h \in H^0_{cl} \mid h \in H_{cl})\Big].
\end{aligned}$$ 

Hence we have 

$$\sum_{c=1}^{l-1} P(h \in H^0_{cl} \mid h \in H_{cl}) = \tfrac{l-1}{l^3}.$$ 

For any $c \in (\mathbb{Z}/l^2\mathbb{Z})^\times$, we have a commutative diagram of sets 

$$\begin{array}{ccc}
H^0_1 & \longrightarrow & H^0_c \\
\downarrow & & \downarrow \\
H_1 & \longrightarrow & H_c
\end{array}$$ 

where the horizontal map is defined by $h \mapsto ch$. Hence we have 

$$P(h \in H^0_1 \mid h \in H_1) = P(h \in H^0_c \mid h \in H_c) \quad \text{for any } c \in (\mathbb{Z}/l^2\mathbb{Z})^\times.$$ 

Therefore 

$$\begin{aligned}
\tfrac{1}{l^3} &= P(h \in H^0 \mid h \in H) \\
&= \sum_{c \in \mathbb{Z}/l^2\mathbb{Z}} P(h \in H^0 \mid h \in H_c)\, P(h \in H_c \mid h \in H) \\
&= \sum_{c \in \mathbb{Z}/l^2\mathbb{Z}} P(h \in H^0_c \mid h \in H_c)\, P(h \in H_c \mid h \in H) \\
&= \Big[P(h \in H^0_0 \mid h \in H_0) + \sum_{c=1}^{l-1} P(h \in H^0_{cl} \mid h \in H_{cl}) + \sum_{c \in (\mathbb{Z}/l^2\mathbb{Z})^\times} P(h \in H^0_c \mid h \in H_c)\Big] \times \tfrac{1}{l^2} \\
&= \Big[\tfrac{1}{l^3} + \tfrac{l-1}{l^3} + (l^2 - l)\, P(h \in H^0_1 \mid h \in H_1)\Big] \times \tfrac{1}{l^2}.
\end{aligned}$$ 

Hence we have 

$$P(h \in H^0_1 \mid h \in H_1) = \tfrac{1}{l^3}. \qquad \blacksquare$$ 

Finally, from proposition 4.1 and proposition 4.2, we get the main conclusion of this 
paper: 

Proposition 4.4. Let $K > 0$ be a constant. Let $u \to \infty$ and $y < Ku$; then the complexity 
of Algorithm 3 is less than the complexity of Algorithm 2 asymptotically. Moreover, suppose 
$f(x)$ is a random polynomial of degree $d$ over $\mathbb{Z}$ such that $f(x) \bmod l^2$ is uniformly distributed 
on $\{h(x) \in \mathbb{Z}/l^2\mathbb{Z}[x];\ \deg h \le d\}$ for all primes $l \le y$, and $\{R_l = \emptyset\}_{\text{prime } l \le y}$ are independent 
random events, where $R_l := \{x \in \mathbb{Z}/l^2\mathbb{Z};\ f(x) \equiv 0 \bmod l^2,\ x \text{ is a multiple root of } f(x) \equiv 0 
\bmod l\}$ for any prime $l \le y$. Then the complexity of Algorithm 3 is less than $\tfrac{2}{3}$ of the 
complexity of Algorithm 2 asymptotically with probability greater than 0.6. $\blacksquare$ 